1 Answer
You can create a custom IAM policy named "all-users" with the following JSON policy document to achieve the requirements:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:DeactivateMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateVirtualMFADevice",
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": "iam:DeleteVirtualMFADevice",
      "Resource": "arn:aws:iam::*:mfa/${aws:username}",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
This policy will allow users to create and list MFA devices and tags, enable and deactivate their own MFA devices, and delete their own virtual MFA devices if MFA is enabled.
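As an added example (not part of the answer above), a small Python evaluator for a policy of the same shape shows how ${aws:username} scopes each user to their own device and why the condition operator matters: BoolIfExists passes when aws:MultiFactorAuthPresent is absent from the request context, which is the case for requests signed with long-term access keys, while Bool requires the key to be present and true. The account ID and user names are constructed; the evaluator models only the IAM semantics this policy relies on.

```python
# Added example, not from the answer: a toy evaluator for a policy shaped like
# the one above (Allow statements only; IAM wildcards, ${aws:username}, Bool).
import re

def build_policy(mfa_operator="Bool"):
    # Delete-statement operator is a parameter so Bool vs BoolIfExists compare.
    return [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:ListMFADevices", "iam:ListVirtualMFADevices"]},
        {"Effect": "Allow", "Resource": "arn:aws:iam::*:user/${aws:username}",
         "Action": ["iam:EnableMFADevice", "iam:DeactivateMFADevice"]},
        {"Effect": "Allow", "Resource": "arn:aws:iam::*:mfa/${aws:username}",
         "Action": ["iam:DeleteVirtualMFADevice"],
         "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "true"}}},
    ]

def _match(pattern, value):
    # IAM '*' wildcard matches any run of characters; all else is literal.
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value) is not None

def _condition_ok(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if key not in ctx:  # absent e.g. with long-term access keys
                if op == "BoolIfExists":
                    continue    # ...IfExists treats a missing key as a pass
                return False    # plain Bool fails on a missing key
            if ctx[key].lower() != want.lower():
                return False
    return True

def is_allowed(statements, action, resource, ctx):
    # ctx: aws:username (IAM users only) and, with temporary credentials,
    # aws:MultiFactorAuthPresent as "true"/"false".
    for st in statements:
        res = st["Resource"].replace("${aws:username}", ctx.get("aws:username", ""))
        if (st["Effect"] == "Allow" and action in st["Action"]
                and _match(res, resource)
                and _condition_ok(st.get("Condition", {}), ctx)):
            return True
    return False  # nothing matched: implicit deny

def delete_allowed(user, target, mfa_present, operator="Bool"):
    # Can `user` delete virtual device `target`? None = long-term access keys.
    ctx = {"aws:username": user}  # constructed account id below
    if mfa_present is not None:
        ctx["aws:MultiFactorAuthPresent"] = "true" if mfa_present else "false"
    return is_allowed(build_policy(operator), "iam:DeleteVirtualMFADevice",
                      f"arn:aws:iam::123456789012:mfa/{target}", ctx)
```

The first enrolment cannot satisfy an MFA condition, which is why only the delete statement carries one.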
Why don't you post what you think should work, and what goes wrong? Then we can suggest adjustments.